rkt trust

Before executing a remotely fetched ACI, rkt will verify it based on attached signatures generated by the ACI creator.

Before this can happen, rkt needs to know which creators you trust, and therefore whose images are allowed to run on your machine.
The identity of each ACI creator is established with a public key, which is placed in rkt's key store on disk.

When adding a trusted key, a prefix can scope the level of established trust to a subset of images.
A few examples:

# rkt trust --prefix=storage.coreos.com

# rkt trust --prefix=coreos.com/etcd

To trust a key for an entire root domain, you must use the --root flag and give the path to a key file; no discovery is performed.
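
The scoping rule described above, as an added example that is not rkt's own code: a small Go model of a trust store holding the two prefixes from this page plus one root key. The key IDs and the type and function names are constructed for illustration, and matching on whole path segments is an assumption of this model, not a statement of rkt's matching rule.

```go
package main

import (
	"fmt"
	"strings"
)

// TrustStore is a simplified in-memory model; key IDs are constructed placeholders.
type TrustStore struct {
	Root     map[string]bool            // keys trusted for every image (the --root case)
	ByPrefix map[string]map[string]bool // prefix -> keys trusted only beneath it
}

// covers matches whole path segments (an assumption of this model), so
// "coreos.com/etcd" covers "coreos.com/etcd/v3" but not "coreos.com/etcdctl".
func covers(prefix, image string) bool {
	return image == prefix || strings.HasPrefix(image, prefix+"/")
}

// IsTrusted reports whether signer is in scope for image; a signature that
// verifies cryptographically is still rejected when this returns false.
func (s TrustStore) IsTrusted(image, signer string) bool {
	if s.Root[signer] {
		return true
	}
	for prefix, keys := range s.ByPrefix {
		if covers(prefix, image) && keys[signer] {
			return true
		}
	}
	return false
}

// sampleStore mirrors the two prefixes used on this page plus one root key.
func sampleStore() TrustStore {
	return TrustStore{
		Root: map[string]bool{"KEY-ROOT": true},
		ByPrefix: map[string]map[string]bool{
			"storage.coreos.com": {"KEY-STORAGE": true},
			"coreos.com/etcd":    {"KEY-ETCD": true},
		},
	}
}

func main() {
	s := sampleStore()
	fmt.Println(s.IsTrusted("coreos.com/etcd/v3", "KEY-ETCD"), s.IsTrusted("coreos.com/etcdctl", "KEY-ETCD"))
}
```

A key scoped to a narrow prefix limits the damage if that key is compromised, whereas a root key is accepted for any image name.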